Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe:

  • A sharp increase in abuse of valid accounts
  • A pivot in the approach of major ransomware groups
  • Our analysis of the timing and shape of the impact of generative AI (gen AI) on cybersecurity

Cybercriminals prefer to take the path of least resistance to meet their objectives, so it is concerning that, for the first time in our research, abusing valid accounts became a preferred means of access into victim environments. Use of stolen credentials to access valid accounts surged 71% over the previous year and represented 30% of all incidents X-Force responded to in 2023, tied with phishing as the top initial access vector.

Abuse of valid account credentials is top threat

As defenders strengthen their detection and prevention capabilities, attackers found last year that obtaining valid credentials was an “easier” route to their goals. This is not altogether surprising, given the vast quantity of valid credentials readily available on the dark web. Yet this “easy entry” for attackers is hard to detect: because the activity comes from a legitimate account, organizations need a more involved response to distinguish legitimate from malicious user activity on the network.

Phishing, whether through an attachment, a link or as a service, also accounted for 30% of all incidents remediated by X-Force in 2023, although the volume of phishing was down 44% from 2022. The significant drop in observed compromises through phishing likely reflects both continued adoption of phishing mitigations and attackers shifting to the use of valid credentials.

Additionally, X-Force observed a 100% increase in “Kerberoasting” during incident response engagements. In Kerberoasting, an attacker holding any valid domain account requests Kerberos service tickets for Active Directory accounts that have service principal names (SPNs) registered, then cracks the tickets offline to recover those service accounts’ passwords. This indicates a shift in how attackers acquire identities to carry out their operations.

These shifts suggest that threat actors have revalued credentials as a reliable and preferred initial access vector.
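Because a Kerberoasting request is a legitimate TGS request from a legitimate account, the detection has to come from Windows Security event 4769 (“A Kerberos service ticket was requested”) on the domain controllers rather than from any malware signature. The following is an added example, not code from the report or from IBM X-Force: it runs two common detection rules over a handful of constructed 4769 records. The sample events, the `CORP.LOCAL` domain, the account names, the five-minute window and the threshold of five distinct services are all assumptions chosen for illustration; the field names follow the 4769 event schema, and 0x17 is the RC4-HMAC encryption type that Kerberoasting tools request because RC4 tickets crack far faster than AES ones.

```python
"""Flag Kerberoasting indicators in Windows Security event 4769 records.

Two signals:
  1. A service ticket for a user-style service account issued with
     RC4-HMAC (TicketEncryptionType 0x17) in a domain that otherwise uses
     AES (0x11/0x12). Attack tooling asks for RC4 to speed up cracking.
  2. One account obtaining tickets for many distinct services inside a
     short window. Normal users touch a handful of services per day.
Computer accounts (names ending in '$') and krbtgt are excluded: their
tickets are routine and their passwords are not crackable in practice.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"

# Constructed sample of 4769 records (not real telemetry). TargetUserName is
# the requesting account, ServiceName the SPN's account, Status the KDC code.
SAMPLE_4769 = [
    # Ordinary user: two AES tickets, minutes apart.
    {"TimeCreated": "2023-09-14T09:01:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.5.21"},
    {"TimeCreated": "2023-09-14T09:07:40", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.5.21"},
    # RC4 ticket for a computer account: noisy but not crackable, must not alert.
    {"TimeCreated": "2023-09-14T09:08:11", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.5.21"},
    # Failed request (0x7 = KDC_ERR_S_PRINCIPAL_UNKNOWN): no ticket issued, skip.
    {"TimeCreated": "2023-09-14T09:09:00", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_old", "TicketEncryptionType": "0xffffffff", "Status": "0x7", "IpAddress": "10.0.5.21"},
    # Kerberoasting: one user pulls RC4 tickets for six service accounts in under a minute.
    *[
        {"TimeCreated": f"2023-09-14T13:30:{s:02d}", "TargetUserName": "mallory@CORP.LOCAL",
         "ServiceName": svc, "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.9.77"}
        for s, svc in zip(range(0, 60, 10),
                          ["svc_sql", "svc_web", "svc_backup", "svc_sharepoint", "svc_iis", "svc_exchange"])
    ],
]


def roastable(service_name):
    """True for service accounts whose password an attacker could realistically crack."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), spn_threshold=5):
    """Return one alert dict per (account, signal) found in a list of 4769 records."""
    by_account = defaultdict(list)
    for e in events:
        # Only successfully issued tickets for crackable accounts matter.
        if e["Status"] != "0x0" or not roastable(e["ServiceName"]):
            continue
        by_account[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"],
             e["TicketEncryptionType"], e["IpAddress"]))

    alerts = []
    for account, reqs in by_account.items():
        reqs.sort()
        # Signal 1: RC4 downgrade on a user-style service account.
        rc4_services = sorted({svc for _, svc, etype, _ in reqs if etype == RC4_HMAC})
        if rc4_services:
            alerts.append({"account": account, "signal": "rc4_service_ticket",
                           "services": rc4_services, "source_ip": reqs[0][3]})
        # Signal 2: sliding window over the account's requests, keep the
        # largest set of distinct services seen inside any single window.
        start, peak = 0, set()
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            current = {svc for _, svc, _, _ in reqs[start:end + 1]}
            if len(current) > len(peak):
                peak = current
        if len(peak) >= spn_threshold:
            alerts.append({"account": account, "signal": "spn_burst",
                           "services": sorted(peak), "source_ip": reqs[0][3]})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print(f"{alert['signal']}: {alert['account']} from {alert['source_ip']} "
              f"-> {len(alert['services'])} services: {', '.join(alert['services'])}")
```

Run against the sample, the ordinary user produces nothing: the computer-account RC4 ticket and the failed request are filtered out before either rule sees them, and two AES tickets are below the burst threshold. The second account trips both rules. In a real deployment the RC4 rule is only meaningful once service accounts have AES enabled in `msDS-SupportedEncryptionTypes`; a legacy application that still requires RC4 will fire it constantly, so tune an allow-list for those accounts rather than discarding the rule.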


Rise in infostealer malware as ransomware groups pivot

The abuse of valid accounts as the top access technique was accompanied by an upsurge in infostealers, malware designed to harvest credentials and other sensitive data from infected hosts. We observed a 266% surge in infostealing malware, as groups that previously specialized in ransomware pivoted to infostealers.

Ransomware remained the most common action on objective (20% of incidents), yet X-Force observed an 11.5% drop in enterprise ransomware incidents. This drop is likely a result of larger organizations stopping attacks before ransomware was deployed, and opting against paying the ransom in favor of rebuilding when ransomware does take hold. (It’s worth noting that analysis of ransomware extortion sites indicates ransomware activity globally actually increased in 2023. The divergence suggests X-Force clients continued to improve their ability to detect and respond to the precursors of a ransomware event.)

Although X-Force observed a drop in ransomware attacks, extortion-based attacks continued to be a driving force of cybercrime this past year, surpassed only by data theft and leak as the most common impact observed in X-Force incidents. For example, X-Force responded to multiple incidents tied to the CL0P ransomware group’s widespread data extortion campaign, which exploited a previously unknown (zero-day) vulnerability in MOVEit, a widely used managed file transfer (MFT) tool.

While zero-day vulnerabilities like this one garner notoriety, they make up a very small share of the vulnerability attack surface: just 3% of the total vulnerabilities tracked by X-Force. In 2023 the number of new zero days dropped 72% compared to 2022, to 172. Even so, organizations should still emphasize knowing their attack surface and identifying and patching the vulnerabilities in their environment, since that prevents many attacks.

Generative AI attacks have potential, but are not a direct threat yet

Last year will go down in history as the gen AI breakout year. Policymakers, business executives and cybersecurity professionals are all feeling the pressure to adopt AI within their operations, and the rush to adopt gen AI is currently outpacing the industry’s ability to understand the security risks these new capabilities introduce. X-Force expects a universal AI attack surface to materialize once adoption of AI reaches a critical mass, forcing organizations to prioritize security defenses that can adapt to AI threats at scale.

To come to this conclusion, X-Force reflected on the technological enablers and milestones that fostered cybercriminal activity in the past to predict when we’ll see indicators of AI attack surface maturity. X-Force predicts that this will occur once a single AI technology approaches 50% market share, or when the market consolidates to three or fewer technologies.

Furthermore, despite signs of interest among cybercriminals in using gen AI in their attacks, X-Force has not yet observed concrete evidence of gen AI-engineered cyberattacks. Phishing is expected to be one of the first malicious use cases of AI that cybercriminals invest in, reducing the time to craft convincing messages from multiple days to minutes. But although AI-enabled attacks may well be reported in the near term, X-Force assesses that widespread activity won’t be established until enterprise AI adoption matures.

Fundamentals remain essential for security

The combination of a rise in infostealers and the abuse of valid account credentials for initial access has exacerbated defenders’ identity and access management challenges. Cybercriminals’ renewed focus on identities highlights the risk organizations carry on devices outside their visibility, and the need to keep reinforcing good security habits across the workforce. Enterprise credentials can be stolen from compromised devices through password reuse, browser credential stores, or enterprise accounts accessed directly from personal devices.

While “security fundamentals” doesn’t turn as many heads as “AI-engineered attacks,” the fact remains that enterprises’ biggest security problem boils down to the basic and known, not the novel and unknown. Identity is being used against enterprises time and time again, a problem that will worsen as adversaries invest in AI to optimize the tactic.

Learn more in the X-Force Threat Intelligence Index

The X-Force Threat Intelligence Index offers our unique insights to IBM clients, researchers in the security industry, policymakers, the media and the broader community of security professionals and business leaders.

Discover more in the report about the threat landscape and latest cybersecurity trends:

  • Analysis of the top initial access vectors, top attacker actions on objective and top impacts on organizations
  • Geographic and industry trends
  • Recommendations on how organizations should respond and where to start

Download the report and sign up to attend a webcast for a panel discussion with Kevin Albano, associate partner of IBM X-Force, and Ryan Leszczynski, a supervisory special agent in the FBI Cyber Division. They’ll offer a detailed explanation of the findings and what they mean for organizations defending against these evolving threats.
